Mobile Financial App Security Appears Shaky

IBM has made mobile a key strategic imperative going forward, even discounting mobile software license charges on z Systems. However, a recent study suggests that mobile apps may be less secure than their users think. For example, 83% of the app users surveyed felt their applications were adequately secure. Yet 90% of the applications Arxan Technologies tested were vulnerable to at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks.

The OWASP Top Ten is an awareness document for web application security, and the OWASP Mobile Top 10 is its counterpart for mobile apps. Each list represents a broad consensus about the most critical security flaws in its domain. Security experts use the lists as a first step in changing security awareness and the software development culture around security in organizations around the world. You can find the Arxan report here.

In the latest study, 41% of mobile finance app users expect their finance apps to be hacked within the next six months. That’s not exactly a vote of confidence. Even worse, 42% of executive IT decision makers, those who have oversight or insight into the security of the mobile finance apps they produce, feel the same way. Does this bother you?

It should. The researchers found that 81% of app users would change providers if apps offered by similar providers were more secure. While millennials are driving the adoption of mobile apps, their views on the importance of app security were as strong as those of older, non-millennial users. Overall, the survey results showed very little geographic variation across the US, UK, Germany, and Japan.

This sentiment makes it sound as if mobile finance applications are in a hopeless state of security where, despite Herculean efforts to thwart attackers, adversaries are expected to prevail. But the situation is not hopeless; it is careless. Half the organizations aren't even trying. Fully 50% of organizations have zero budget allocated for mobile app security, 0, nothing, nada, according to the researchers. By failing to step up their mobile security game, organizations risk losing customers to competitors who offer alternative apps that are more secure.

How bad is the mobile security situation? When put to the test, the majority of mobile apps failed critical security tests and could easily be hacked, according to the researchers. Among 55 popular mobile finance apps tested for security vulnerabilities, 92% were shown to have at least two OWASP Mobile Top 10 Risks. Such vulnerabilities could allow the apps to be tampered with and reverse-engineered, which could clearly put sensitive financial information in the wrong hands or, even worse, potentially redirect the flow of money. Ouch!

Think about all the banks and insurance companies that are scrambling to deploy new mobile apps. As it turns out, the researchers report, financial services organizations are also among the top targets of hackers seeking high-value payment data, intellectual property (IP), and other sensitive information. Specifically, employee, customer, and soft IP data are the top three targets of cyber-attacks in the financial services market, while at the same time theft of hard IP soared 183% in 2015, according to PwC, another firm researching the segment.

With the vast majority of cyber-attacks happening at the application layer, one would think that robust application security would be a fundamental security measure being aggressively implemented and increasingly required by regulators, particularly given the financial services industry’s rapid embrace of mobile financial apps. But apparently it is not.

So where does the financial mobile app industry stand? Among the OWASP Mobile Top 10 Risks identified in the mobile finance apps tested, the two most prevalent were:

1) Lack of binary protection (98%) – the most prevalent vulnerability. The app ships with no anti-tampering, anti-debugging, or obfuscation measures, so it can be decompiled, modified, and repackaged with relatively little effort.

2) Insufficient transport layer protection (91%). Data travels over cleartext channels, or over TLS that is not properly validated (server certificates or hostnames not checked, legacy protocol versions still allowed), so it can be intercepted or altered in transit.

A distant third, at 58%, was unintended data leakage. All these vulnerabilities, the top two especially, make mobile financial applications susceptible to reverse-engineering and tampering, in addition to privacy violations and identity theft.

DancingDinosaur is Alan Radding, a veteran information technology analyst and writer. Please follow DancingDinosaur on Twitter, @mainframeblog. See more of his IT writing at technologywriter.com and here.